Kimosabey/token-forge

Enterprise Identity Provider (IdP) with Custom OIDC and JWT Rotation.

TokenForge

Enterprise Distributed Identity System with OIDC & OAuth2

TokenForge is a professional Authentication Platform built with NestJS. It implements the OIDC (OpenID Connect) standard, featuring a hybrid "Stateless Access / Stateful Refresh" architecture. It balances extreme horizontal scalability with surgical security controls like Instant Revocation and Automated Key Rotation.


🚀 Quick Start

Launch the Identity Infrastructure and Auth Service in one command:

# 1. Start DB & Redis
docker-compose up -d

# 2. Start Auth Service
cd backend && npm install && npm run start:dev

Detailed Setup: See GETTING_STARTED.md.


📸 Architecture & Patterns

Security Intelligence Dashboard: visualizes active sessions, token rotation logs, and system security levels.

System Architecture: distributed Identity Provider implementing the OIDC standard.

Secure Identity Flow: OIDC Handshake -> JWT Generation -> Stateful Refresh in Redis.

Deep Dive: See ARCHITECTURE.md for the PKI logic.


✨ Key Features

  • 🛡️ OIDC Compliant: Provides /.well-known/openid-configuration and JWKS endpoints.
  • 🔑 Asymmetric RS256: High-security signing where only the Auth Service holds the Private Key.
  • 🔄 Token Family Rotation: Detects and stops token theft by invalidating entire lease families.
  • ⚡ Redis-Backed Sessions: Sub-millisecond session revocation and L7 rate limiting.

🏗️ The Protective Journey

How a user identity is forged and protected:

  1. Request: User submits credentials or OIDC redirect.
  2. Verify: Service validates against PostgreSQL via Bcrypt (Rounds=12).
  3. Forge: RS256 Private Key signs a stateless Access JWT (15m).
  4. Lease: A stateful Refresh Token is generated and pinned in Redis (7d).
  5. Rotate: On every refresh, the old token is burned and a new pair is issued (Rotation).
  6. Verify: Microservices download the Public Key via JWKS to verify tokens locally.

📚 Documentation

Document              Description
System Architecture   RS256 PKI design, dual-token patterns, and schema.
Getting Started       Docker environment, OIDC config, and test scripts.
Failure Scenarios     Circuit breakers, emergency revocation, and fail-secure.
Interview Q&A         "JWT vs Session", "RS256 vs HS256", and the Wristband Analogy.

🔧 Tech Stack

Component       Technology       Role
Auth Engine     NestJS 10        Modular Identity Framework.
Durable Store   PostgreSQL 16    User Profiles & RBAC.
Fast Store      Redis 7          Refresh Tokens & Rate Limits.
Crypto Logic    Passport.js      Security Strategy Abstraction.

👤 Author

Harshan Aiyappa
Senior Full-Stack Hybrid AI Engineer
Voice AI • Distributed Systems • Infrastructure

Portfolio GitHub LinkedIn X


📝 License

This project is licensed under the MIT License - see the LICENSE file for details.
